diff --git a/share/dataset-pg/directus.tf b/share/dataset-pg/directus.tf
new file mode 100644
index 0000000..8aed614
--- /dev/null
+++ b/share/dataset-pg/directus.tf
@@ -0,0 +1,232 @@
+locals {
+  directus-labels = merge(local.common-labels, {
+    "app.kubernetes.io/component" = "directus"
+  })
+  directus-dns-name = "directus.${local.dns-name}"
+  directus-service = {
+    "name"  = "directus-${var.instance}"
+    "port" = {
+      "number" = 80
+    }
+  }
+}
+
+data "kubernetes_secret_v1" "authentik" {
+  metadata {
+    name      = "authentik"
+    namespace = "${var.domain}-auth"
+  }
+}
+
+data "kubernetes_ingress_v1" "authentik" {
+  metadata {
+    name = "authentik"
+    namespace = "${var.domain}-auth"
+  }
+}
+
+resource "kubectl_manifest" "directus_config" {
+  count = var.extentions.directus.enable ? 1:0
+  yaml_body  = <<-EOF
+    apiVersion: v1
+    kind: ConfigMap
+    metadata:
+      name: "${var.component}-${var.instance}-directus"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(local.directus-labels)}
+    data:
+      PORT: "8055"
+      DB_CLIENT: "pg"
+      DB_DATABASE: "${var.instance}"
+      DB_HOST: "${var.instance}-${var.component}-rw.${var.namespace}.svc"
+      DB_PORT: "5432"
+      STORAGE_LOCATIONS: "local"
+      STORAGE_LOCAL_ROOT: "/var/store"
+      ADMIN_EMAIL: "admin@${var.domain-name}"
+      TELEMETRY: "false"
+      AUTH_PROVIDERS: "vynil"
+      AUTH_VYNIL_DRIVER: "oauth2"
+      AUTH_VYNIL_ISSUER_URL: "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/directus-${var.instance}/.well-known/openid-configuration"
+      AUTH_VYNIL_IDENTIFIER_KEY: "nickname"
+  EOF
+}
+
+resource "kubectl_manifest" "directus_secret" {
+  count = var.extentions.directus.enable ? 1:0
+  ignore_fields = ["metadata.annotations"]
+  yaml_body  = <<-EOF
+    apiVersion: "secretgenerator.mittwald.de/v1alpha1"
+    kind: "StringSecret"
+    metadata:
+      name: "${var.component}-${var.instance}-directus"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(local.directus-labels)}
+    spec:
+      forceRegenerate: false
+      fields:
+      - fieldName: "KEY"
+        length: "32"
+      - fieldName: "SECRET"
+        length: "32"
+      - fieldName: "ADMIN_PASSWORD"
+        length: "16"
+  EOF
+}
+
+resource "kubectl_manifest" "directus_pvc" {
+  count = var.extentions.directus.enable ? 1:0
+  yaml_body  = <<-EOF
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      name: "${var.component}-${var.instance}-directus"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(local.common-labels)}
+    spec:
+      accessModes:
+      - "${var.storage.accessMode}"
+      resources:
+        requests:
+          storage: "${var.storage.size}"
+      volumeMode: "${var.storage.type}"
+  EOF
+}
+
+
+resource "kubectl_manifest" "directus_deploy" {
+  count = var.extentions.directus.enable ? 1:0
+  yaml_body  = <<EOF
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: "${var.component}-${var.instance}-directus"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(local.directus-labels)}
+    spec:
+      replicas: 1
+      selector:
+        matchLabels: ${jsonencode(local.directus-labels)}
+      template:
+        metadata:
+          labels: ${jsonencode(local.directus-labels)}
+        spec:
+          securityContext:
+            fsGroup: 1000
+            runAsGroup: 1000
+            runAsUser: 1000
+          restartPolicy: Always
+          containers:
+          - name: directus
+            securityContext:
+              fsGroup: 1000
+              runAsGroup: 1000
+              runAsNonRoot: true
+              runAsUser: 1000
+            env:
+            - name: AUTH_VYNIL_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  key: "client-id"
+                  name: "directus-${var.instance}-id"
+            - name: AUTH_VYNIL_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  key: "client-secret"
+                  name: "directus-${var.instance}-id"
+            - name: DB_USER
+              valueFrom:
+                secretKeyRef:
+                  key: username
+                  name: "${var.instance}-${var.component}-app"
+            - name: DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: password
+                  name: "${var.instance}-${var.component}-app"
+            envFrom:
+            - secretRef:
+                name: "${var.component}-${var.instance}-directus"
+            - configMapRef:
+                name: "${var.component}-${var.instance}-directus"
+            image: "${var.extentions.directus.image.registry}/${var.extentions.directus.image.repository}:${var.extentions.directus.image.tag}"
+            imagePullPolicy: "${var.extentions.directus.image.pullPolicy}"
+            ports:
+            - containerPort: 8055
+              name: http
+              protocol: TCP
+            livenessProbe:
+              failureThreshold: 3
+              httpGet:
+                path: /
+                port: http
+                scheme: HTTP
+              periodSeconds: 10
+              successThreshold: 1
+              timeoutSeconds: 1
+            readinessProbe:
+              failureThreshold: 3
+              httpGet:
+                path: /
+                port: http
+                scheme: HTTP
+              periodSeconds: 10
+              successThreshold: 1
+              timeoutSeconds: 1
+            volumeMounts:
+            - name: store
+              mountPath: /var/store
+          volumes:
+          - name: store
+            persistentVolumeClaim:
+              claimName: "${var.component}-${var.instance}-directus"
+EOF
+}
+
+module "directus-service" {
+  count = var.extentions.directus.enable ? 1 : 0
+  source = "/dist/modules/service"
+  component         = "directus"
+  instance          = var.instance
+  namespace         = var.namespace
+  labels            = local.directus-labels
+  target            = "http"
+  port              = local.directus-service.port.number
+  providers = {
+    kubectl = kubectl
+  }
+}
+
+module "directus-ingress" {
+  count = var.extentions.directus.enable ? 1 : 0
+  source = "/dist/modules/ingress"
+  component         = "directus"
+  instance          = var.instance
+  namespace         = var.namespace
+  issuer            = var.issuer
+  ingress-class     = var.ingress-class
+  labels            = local.directus-labels
+  dns-names         = [local.directus-dns-name]
+  create-redirect   = true
+  middlewares       = []
+  service           = local.directus-service
+  providers = {
+    kubectl = kubectl
+  }
+}
+
+module "directus-oauth2" {
+  count = var.extentions.directus.enable ? 1 : 0
+  source = "/dist/modules/oauth2"
+  component         = "directus"
+  instance          = var.instance
+  namespace         = var.namespace
+  labels            = local.directus-labels
+  dns-name          = local.directus-dns-name
+  redirect-path     = ""
+  providers = {
+    kubernetes = kubernetes
+    kubectl = kubectl
+    authentik = authentik
+  }
+}
+
diff --git a/share/dataset-pg/index.yaml b/share/dataset-pg/index.yaml
index 9b74602..0d6389c 100644
--- a/share/dataset-pg/index.yaml
+++ b/share/dataset-pg/index.yaml
@@ -6,11 +6,25 @@ metadata:
   name: dataset-pg
   description: null
 options:
-  sub-domain:
-    default: dataset-pg
+  domain:
+    default: your-company
     examples:
-    - dataset-pg
+    - your-company
     type: string
+  storage:
+    default: 8Gi
+    examples:
+    - 8Gi
+    type: string
+  databases:
+    default: []
+    items:
+      properties:
+        name:
+          default: db
+          type: string
+      type: object
+    type: array
   roles:
     default: []
     items:
@@ -20,13 +34,79 @@ options:
           type: string
       type: object
     type: array
-  storage:
-    default: 8Gi
+  sub-domain:
+    default: dataset-pg
     examples:
-    - 8Gi
+    - dataset-pg
     type: string
+  replicas:
+    default: 1
+    examples:
+    - 1
+    type: integer
+  backups:
+    default:
+      enable: false
+      endpoint: ''
+      key-id-key: s3-id
+      retention:
+        db: 30d
+      schedule:
+        db: 0 3 * * *
+      secret-key: s3-secret
+      secret-name: backup-settings
+    examples:
+    - enable: false
+      endpoint: ''
+      key-id-key: s3-id
+      retention:
+        db: 30d
+      schedule:
+        db: 0 3 * * *
+      secret-key: s3-secret
+      secret-name: backup-settings
+    properties:
+      enable:
+        default: false
+        type: boolean
+      endpoint:
+        default: ''
+        type: string
+      key-id-key:
+        default: s3-id
+        type: string
+      retention:
+        default:
+          db: 30d
+        properties:
+          db:
+            default: 30d
+            type: string
+        type: object
+      schedule:
+        default:
+          db: 0 3 * * *
+        properties:
+          db:
+            default: 0 3 * * *
+            type: string
+        type: object
+      secret-key:
+        default: s3-secret
+        type: string
+      secret-name:
+        default: backup-settings
+        type: string
+    type: object
   extentions:
     default:
+      directus:
+        enable: false
+        image:
+          pullPolicy: IfNotPresent
+          registry: docker.io
+          repository: directus/directus
+          tag: 10.6.4
       pool:
         enable: false
       postgrest:
@@ -43,7 +123,14 @@ options:
           repository: swaggerapi/swagger-ui
           tag: v5.9.0
     examples:
-    - pool:
+    - directus:
+        enable: false
+        image:
+          pullPolicy: IfNotPresent
+          registry: docker.io
+          repository: directus/directus
+          tag: 10.6.4
+      pool:
         enable: false
       postgrest:
         enable: false
@@ -59,6 +146,39 @@ options:
           repository: swaggerapi/swagger-ui
           tag: v5.9.0
     properties:
+      directus:
+        default:
+          enable: false
+          image:
+            pullPolicy: IfNotPresent
+            registry: docker.io
+            repository: directus/directus
+            tag: 10.6.4
+        properties:
+          enable:
+            default: false
+            type: boolean
+          image:
+            default:
+              pullPolicy: IfNotPresent
+              registry: docker.io
+              repository: directus/directus
+              tag: 10.6.4
+            properties:
+              pullPolicy:
+                default: IfNotPresent
+                type: string
+              registry:
+                default: docker.io
+                type: string
+              repository:
+                default: directus/directus
+                type: string
+              tag:
+                default: 10.6.4
+                type: string
+            type: object
+        type: object
       pool:
         default:
           enable: false
@@ -131,96 +251,34 @@ options:
             type: object
         type: object
     type: object
-  databases:
-    default: []
-    items:
-      properties:
-        name:
-          default: db
-          type: string
-      type: object
-    type: array
-  ingress-class:
-    default: traefik
+  issuer:
+    default: letsencrypt-prod
     examples:
-    - traefik
+    - letsencrypt-prod
     type: string
   domain-name:
     default: your_company.com
     examples:
     - your_company.com
     type: string
-  backups:
-    default:
-      enable: false
-      endpoint: ''
-      key-id-key: s3-id
-      retention:
-        db: 30d
-      schedule:
-        db: 0 3 * * *
-      secret-key: s3-secret
-      secret-name: backup-settings
+  ingress-class:
+    default: traefik
     examples:
-    - enable: false
-      endpoint: ''
-      key-id-key: s3-id
-      retention:
-        db: 30d
-      schedule:
-        db: 0 3 * * *
-      secret-key: s3-secret
-      secret-name: backup-settings
-    properties:
-      enable:
-        default: false
-        type: boolean
-      endpoint:
-        default: ''
-        type: string
-      key-id-key:
-        default: s3-id
-        type: string
-      retention:
-        default:
-          db: 30d
-        properties:
-          db:
-            default: 30d
-            type: string
-        type: object
-      schedule:
-        default:
-          db: 0 3 * * *
-        properties:
-          db:
-            default: 0 3 * * *
-            type: string
-        type: object
-      secret-key:
-        default: s3-secret
-        type: string
-      secret-name:
-        default: backup-settings
-        type: string
-    type: object
-  replicas:
-    default: 1
-    examples:
-    - 1
-    type: integer
-  issuer:
-    default: letsencrypt-prod
-    examples:
-    - letsencrypt-prod
+    - traefik
     type: string
 dependencies:
 - dist: null
   category: dbo
   component: pg
+- dist: null
+  category: share
+  component: authentik
+- dist: null
+  category: core
+  component: secret-generator
 providers:
   kubernetes: true
-  authentik: null
+  authentik: true
   kubectl: true
   postgresql: true
   restapi: null